Document Woodpecker multi-pipeline secret validation quirk #364

New issue

Open

opened 2026-05-10 17:12:34 +00:00 by ldraney · 0 comments

ldraney commented

2026-05-10 17:12:34 +00:00

Owner

Type

Spike

Context

Discovered during T3 validation (validation-360-2026-05-10). When a Woodpecker repo uses multi-pipeline discovery (.woodpecker/ directory with multiple YAML files), Woodpecker validates secrets from ALL discovered pipelines against the triggering event type — even pipelines whose when conditions exclude that event.

Problem

The pal-e-platform repo has two pipelines:

.woodpecker/terraform.yaml — triggers on push/pull_request
.woodpecker/ruby-arch.yaml — triggers on manual/cron

When a manual pipeline is triggered, Woodpecker validates the terraform pipeline's 25 secrets against the manual event. If those secrets only allow push/pull_request, the entire pipeline run errors with secret X is not allowed to be used with pipeline event manual.

Resolution Applied

Updated all 25 existing repo secrets to allow manual and cron events in addition to push and pull_request. This is safe but non-obvious.

Deliverable

Document this behavior in a convention or SOP note so future multi-pipeline repos don't hit the same wall
Consider whether Terraform should manage Woodpecker secret event filters to prevent drift
Evaluate if Woodpecker upstream has plans to fix this (only validate secrets for pipelines that will actually run)

### Type Spike ### Context Discovered during T3 validation (`validation-360-2026-05-10`). When a Woodpecker repo uses multi-pipeline discovery (`.woodpecker/` directory with multiple YAML files), Woodpecker validates secrets from ALL discovered pipelines against the triggering event type — even pipelines whose `when` conditions exclude that event. ### Problem The `pal-e-platform` repo has two pipelines: - `.woodpecker/terraform.yaml` — triggers on `push`/`pull_request` - `.woodpecker/ruby-arch.yaml` — triggers on `manual`/`cron` When a manual pipeline is triggered, Woodpecker validates the terraform pipeline's 25 secrets against the `manual` event. If those secrets only allow `push`/`pull_request`, the entire pipeline run errors with `secret X is not allowed to be used with pipeline event manual`. ### Resolution Applied Updated all 25 existing repo secrets to allow `manual` and `cron` events in addition to `push` and `pull_request`. This is safe but non-obvious. ### Deliverable - [ ] Document this behavior in a convention or SOP note so future multi-pipeline repos don't hit the same wall - [ ] Consider whether Terraform should manage Woodpecker secret event filters to prevent drift - [ ] Evaluate if Woodpecker upstream has plans to fix this (only validate secrets for pipelines that will actually run)